analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

sample7.exe

Full analysis: https://app.any.run/tasks/a5dd63bc-b1a8-454c-bad1-dabb03034ef1
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: September 19, 2019, 08:40:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
emotet
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

84D45E292AE19E38A9D5CCD91964332D

SHA1:

9233AD5937611CD3CFE3F740D7245144AB13F1D3

SHA256:

E101BD7848E99C95F3773C13E22A998022E003247DFB7FA0EB4D43191577BE71

SSDEEP:

6144:LvjNzFHLlUBpZuEN9TFzqwv3465f895atHXWG0C1firMo2q10pxeIBcB47p0/:LvjNhHL4wIT8wftW5y0CIMo2pHeIBv7u

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Emotet process was detected

      • sample7.exe (PID: 3412)
    • EMOTET was detected

      • easywindow.exe (PID: 2068)
    • Connects to CnC server

      • easywindow.exe (PID: 2068)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • sample7.exe (PID: 3412)
    • Starts itself from another location

      • sample7.exe (PID: 3412)
    • Connects to server without host name

      • easywindow.exe (PID: 2068)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (46.3)
.exe | Win64 Executable (generic) (41)
.exe | Win32 Executable (generic) (6.6)
.exe | Generic Win/DOS Executable (2.9)
.exe | DOS Executable Generic (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:09:18 20:23:24+02:00
PEType: PE32
LinkerVersion: 7.1
CodeSize: 155648
InitializedDataSize: 241664
UninitializedDataSize: -
EntryPoint: 0xd7fd
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.1.7601.17514
ProductVersionNumber: 6.1.7601.17514
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Display Control Panel
FileVersion: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
InternalName: DISPLAY
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: DISPLAY.DLL
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.1.7601.17514

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 18-Sep-2019 18:23:24
Detected languages:
  • English - United States
CompanyName: Microsoft Corporation
FileDescription: Display Control Panel
FileVersion: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
InternalName: DISPLAY
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: DISPLAY.DLL
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.1.7601.17514

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 18-Sep-2019 18:23:24
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00025B4E
0x00026000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.59162
.rdata
0x00027000
0x0000B9EE
0x0000C000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.22909
.data
0x00033000
0x00018074
0x00015000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.78593
.rsrc
0x0004C000
0x000150F0
0x00016000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.42532

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.55026
912
UNKNOWN
English - United States
RT_VERSION
2
3.02695
308
UNKNOWN
English - United States
RT_CURSOR
3
2.74274
180
UNKNOWN
English - United States
RT_CURSOR
4
2.34038
308
UNKNOWN
English - United States
RT_CURSOR
5
2.34004
308
UNKNOWN
English - United States
RT_CURSOR
6
2.51649
308
UNKNOWN
English - United States
RT_CURSOR
7
2.27047
92
UNKNOWN
English - United States
RT_STRING
8
2.34864
308
UNKNOWN
English - United States
RT_CURSOR
9
2.34505
308
UNKNOWN
English - United States
RT_CURSOR
10
2.34864
308
UNKNOWN
English - United States
RT_CURSOR

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
OLEACC.dll (delay-loaded)
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WINMM.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
8
Malicious processes
6
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start sample7.exe no specs sample7.exe no specs sample7.exe no specs #EMOTET sample7.exe easywindow.exe no specs easywindow.exe no specs easywindow.exe no specs #EMOTET easywindow.exe

Process information

PID
CMD
Path
Indicators
Parent process
3684"C:\Users\admin\AppData\Local\Temp\sample7.exe" C:\Users\admin\AppData\Local\Temp\sample7.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2492"C:\Users\admin\AppData\Local\Temp\sample7.exe" C:\Users\admin\AppData\Local\Temp\sample7.exesample7.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2676--8d99d531C:\Users\admin\AppData\Local\Temp\sample7.exesample7.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3412--8d99d531C:\Users\admin\AppData\Local\Temp\sample7.exe
sample7.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2616"C:\Users\admin\AppData\Local\easywindow\easywindow.exe"C:\Users\admin\AppData\Local\easywindow\easywindow.exesample7.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3504"C:\Users\admin\AppData\Local\easywindow\easywindow.exe"C:\Users\admin\AppData\Local\easywindow\easywindow.exeeasywindow.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3604--fd47f3b8C:\Users\admin\AppData\Local\easywindow\easywindow.exeeasywindow.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2068--fd47f3b8C:\Users\admin\AppData\Local\easywindow\easywindow.exe
easywindow.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Display Control Panel
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
117
Read events
103
Write events
14
Delete events
0

Modification events

(PID) Process:(2068) easywindow.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\easywindow_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2068) easywindow.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\easywindow_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2068) easywindow.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\easywindow_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2068) easywindow.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\easywindow_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(2068) easywindow.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\easywindow_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2068) easywindow.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\easywindow_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2068) easywindow.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\easywindow_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2068) easywindow.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\easywindow_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2068) easywindow.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\easywindow_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2068) easywindow.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\easywindow_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
1
Suspicious files
8
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3684sample7.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2fbinary
MD5:165A124C64EAC8B6D8B6019828325BE6
SHA256:8CE23A0C0609B458F8BD2B845712025D7D3682415FBC809EB567B640CB86A9D2
3604easywindow.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2fbinary
MD5:3DD71FDF9A91A99DE9B726DE80E5BE43
SHA256:20ED443954F9C3BB6C676D145940E1BD8E478B89AF74816D0E6121E1D24161D5
2676sample7.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2fbinary
MD5:76B2739F9396FC5593FBB2BD417E2862
SHA256:8BF3301C4B19308F95108ECD24882D91D7419AAD2E9CA69C341759DE6099B6E1
2616easywindow.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2fbinary
MD5:383AEAF3EC8098D44FF320E3BA47FEC3
SHA256:3C469B026295B912D4181D7DB3CBDECC61B36E65DCB3AB93EED2F83151AC82CE
3412sample7.exeC:\Users\admin\AppData\Local\easywindow\easywindow.exeexecutable
MD5:84D45E292AE19E38A9D5CCD91964332D
SHA256:E101BD7848E99C95F3773C13E22A998022E003247DFB7FA0EB4D43191577BE71
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
71
TCP/UDP connections
71
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2068
easywindow.exe
POST
189.166.68.89:443
http://189.166.68.89:443/arizona/
MX
malicious
2068
easywindow.exe
POST
114.79.134.129:443
http://114.79.134.129:443/ban/loadan/ringin/
IN
malicious
2068
easywindow.exe
POST
217.113.27.158:443
http://217.113.27.158:443/ringin/
AM
malicious
2068
easywindow.exe
POST
404
187.149.84.80:8080
http://187.149.84.80:8080/splash/
MX
xml
345 b
malicious
2068
easywindow.exe
POST
404
71.244.60.231:7080
http://71.244.60.231:7080/ringin/
US
xml
345 b
malicious
2068
easywindow.exe
POST
404
183.87.87.73:80
http://183.87.87.73/prov/
IN
xml
345 b
malicious
2068
easywindow.exe
POST
404
46.29.183.211:8080
http://46.29.183.211:8080/acquire/
LU
xml
345 b
malicious
2068
easywindow.exe
POST
404
200.21.90.6:8080
http://200.21.90.6:8080/between/
CO
xml
345 b
malicious
2068
easywindow.exe
POST
404
88.250.223.190:8080
http://88.250.223.190:8080/forced/
TR
xml
345 b
malicious
2068
easywindow.exe
POST
404
119.59.124.163:8080
http://119.59.124.163:8080/taskbar/
TH
xml
345 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2068
easywindow.exe
114.79.134.129:443
D-Vois Broadband Pvt Ltd
IN
malicious
2068
easywindow.exe
187.149.84.80:8080
Uninet S.A. de C.V.
MX
malicious
2068
easywindow.exe
189.166.68.89:443
Uninet S.A. de C.V.
MX
malicious
2068
easywindow.exe
71.244.60.231:7080
Frontier Communications of America, Inc.
US
malicious
2068
easywindow.exe
71.244.60.230:7080
Frontier Communications of America, Inc.
US
malicious
2068
easywindow.exe
119.59.124.163:8080
453 Ladplacout Jorakhaebua
TH
malicious
2068
easywindow.exe
207.180.208.175:8080
River City Internet Group (Primary Networks)
US
malicious
79.127.57.42:80
Asiatech Data Transfer Inc PLC
IR
malicious
2068
easywindow.exe
200.21.90.6:8080
COLOMBIA TELECOMUNICACIONES S.A. ESP
CO
malicious
198.199.106.229:8080
Digital Ocean, Inc.
US
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
2068
easywindow.exe
A Network Trojan was detected
AV TROJAN W32/Emotet CnC Checkin (Apr 2019)
2068
easywindow.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
2068
easywindow.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (POST)
2068
easywindow.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
2068
easywindow.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (POST)
2068
easywindow.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
2068
easywindow.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 17
2068
easywindow.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
2068
easywindow.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 21
2068
easywindow.exe
A Network Trojan was detected
MALWARE [PTsecurity] Feodo/Emotet
196 ETPRO signatures available at the full report
No debug info